mirror of
https://github.com/strukturag/nextcloud-spreed-signaling
synced 2024-06-08 00:42:25 +02:00
stats: Support configuring subnets for allowed IPs.
This commit is contained in:
parent
91ab020c3f
commit
1e8dd56f7e
|
@ -52,6 +52,28 @@ const (
|
||||||
sessionIdNotInMeeting = "0"
|
sessionIdNotInMeeting = "0"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func parseIPNet(s string) (*net.IPNet, error) {
|
||||||
|
var ipnet *net.IPNet
|
||||||
|
if strings.ContainsRune(s, '/') {
|
||||||
|
var err error
|
||||||
|
if _, ipnet, err = net.ParseCIDR(s); err != nil {
|
||||||
|
return nil, fmt.Errorf("invalid IP address/subnet %s: %w", s, err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
ip := net.ParseIP(s)
|
||||||
|
if ip == nil {
|
||||||
|
return nil, fmt.Errorf("invalid IP address %s", s)
|
||||||
|
}
|
||||||
|
|
||||||
|
ipnet = &net.IPNet{
|
||||||
|
IP: ip,
|
||||||
|
Mask: net.CIDRMask(len(ip)*8, len(ip)*8),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return ipnet, nil
|
||||||
|
}
|
||||||
|
|
||||||
type BackendServer struct {
|
type BackendServer struct {
|
||||||
hub *Hub
|
hub *Hub
|
||||||
events AsyncEvents
|
events AsyncEvents
|
||||||
|
@ -65,7 +87,7 @@ type BackendServer struct {
|
||||||
turnvalid time.Duration
|
turnvalid time.Duration
|
||||||
turnservers []string
|
turnservers []string
|
||||||
|
|
||||||
statsAllowedIps map[string]bool
|
statsAllowedIps []*net.IPNet
|
||||||
invalidSecret []byte
|
invalidSecret []byte
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -100,20 +122,26 @@ func NewBackendServer(config *goconf.ConfigFile, hub *Hub, version string) (*Bac
|
||||||
}
|
}
|
||||||
|
|
||||||
statsAllowed, _ := config.GetString("stats", "allowed_ips")
|
statsAllowed, _ := config.GetString("stats", "allowed_ips")
|
||||||
var statsAllowedIps map[string]bool
|
var statsAllowedIps []*net.IPNet
|
||||||
if statsAllowed == "" {
|
for _, ip := range strings.Split(statsAllowed, ",") {
|
||||||
log.Printf("No IPs configured for the stats endpoint, only allowing access from 127.0.0.1")
|
ip = strings.TrimSpace(ip)
|
||||||
statsAllowedIps = map[string]bool{
|
if ip != "" {
|
||||||
"127.0.0.1": true,
|
i, err := parseIPNet(ip)
|
||||||
}
|
if err != nil {
|
||||||
} else {
|
return nil, err
|
||||||
log.Printf("Only allowing access to the stats endpoing from %s", statsAllowed)
|
|
||||||
statsAllowedIps = make(map[string]bool)
|
|
||||||
for _, ip := range strings.Split(statsAllowed, ",") {
|
|
||||||
ip = strings.TrimSpace(ip)
|
|
||||||
if ip != "" {
|
|
||||||
statsAllowedIps[ip] = true
|
|
||||||
}
|
}
|
||||||
|
statsAllowedIps = append(statsAllowedIps, i)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(statsAllowedIps) > 0 {
|
||||||
|
log.Printf("Only allowing access to the stats endpoint from %s", statsAllowed)
|
||||||
|
} else {
|
||||||
|
log.Printf("No IPs configured for the stats endpoint, only allowing access from 127.0.0.1")
|
||||||
|
statsAllowedIps = []*net.IPNet{
|
||||||
|
{
|
||||||
|
IP: net.ParseIP("127.0.0.1"),
|
||||||
|
Mask: net.CIDRMask(32, 32),
|
||||||
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -745,15 +773,33 @@ func (b *BackendServer) roomHandler(w http.ResponseWriter, r *http.Request, body
|
||||||
w.Write([]byte("{}")) // nolint
|
w.Write([]byte("{}")) // nolint
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (b *BackendServer) allowStatsAccess(r *http.Request) bool {
|
||||||
|
addr := getRealUserIP(r)
|
||||||
|
if strings.Contains(addr, ":") {
|
||||||
|
if host, _, err := net.SplitHostPort(addr); err == nil {
|
||||||
|
addr = host
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ip := net.ParseIP(addr)
|
||||||
|
if ip == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
allowed := false
|
||||||
|
for _, i := range b.statsAllowedIps {
|
||||||
|
if i.Contains(ip) {
|
||||||
|
allowed = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return allowed
|
||||||
|
}
|
||||||
|
|
||||||
func (b *BackendServer) validateStatsRequest(f func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
func (b *BackendServer) validateStatsRequest(f func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
addr := getRealUserIP(r)
|
if !b.allowStatsAccess(r) {
|
||||||
if strings.Contains(addr, ":") {
|
|
||||||
if host, _, err := net.SplitHostPort(addr); err == nil {
|
|
||||||
addr = host
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if !b.statsAllowedIps[addr] {
|
|
||||||
http.Error(w, "Authentication check failed", http.StatusForbidden)
|
http.Error(w, "Authentication check failed", http.StatusForbidden)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,6 +32,7 @@ import (
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
|
"net/textproto"
|
||||||
"net/url"
|
"net/url"
|
||||||
"reflect"
|
"reflect"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -1689,3 +1690,73 @@ func TestBackendServer_TurnCredentials(t *testing.T) {
|
||||||
t.Errorf("Expected the list of servers as %s, got %s", turnServers, cred.URIs)
|
t.Errorf("Expected the list of servers as %s, got %s", turnServers, cred.URIs)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestBackendServer_StatsAllowedIps(t *testing.T) {
|
||||||
|
config := goconf.NewConfigFile()
|
||||||
|
config.AddOption("stats", "allowed_ips", "127.0.0.1, 192.168.0.1, 192.168.1.1/24")
|
||||||
|
_, backend, _, _, _, _ := CreateBackendServerForTestFromConfig(t, config)
|
||||||
|
|
||||||
|
allowed := []string{
|
||||||
|
"127.0.0.1",
|
||||||
|
"127.0.0.1:1234",
|
||||||
|
"192.168.0.1:1234",
|
||||||
|
"192.168.1.1:1234",
|
||||||
|
"192.168.1.100:1234",
|
||||||
|
}
|
||||||
|
notAllowed := []string{
|
||||||
|
"192.168.0.2:1234",
|
||||||
|
"10.1.2.3:1234",
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, addr := range allowed {
|
||||||
|
t.Run(addr, func(t *testing.T) {
|
||||||
|
r1 := &http.Request{
|
||||||
|
RemoteAddr: addr,
|
||||||
|
}
|
||||||
|
if !backend.allowStatsAccess(r1) {
|
||||||
|
t.Errorf("should allow %s", addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
r2 := &http.Request{
|
||||||
|
RemoteAddr: "1.2.3.4:12345",
|
||||||
|
Header: http.Header{
|
||||||
|
textproto.CanonicalMIMEHeaderKey("x-real-ip"): []string{addr},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
if !backend.allowStatsAccess(r2) {
|
||||||
|
t.Errorf("should allow %s", addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
r3 := &http.Request{
|
||||||
|
RemoteAddr: "1.2.3.4:12345",
|
||||||
|
Header: http.Header{
|
||||||
|
textproto.CanonicalMIMEHeaderKey("x-forwarded-for"): []string{addr},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
if !backend.allowStatsAccess(r3) {
|
||||||
|
t.Errorf("should allow %s", addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
r4 := &http.Request{
|
||||||
|
RemoteAddr: "1.2.3.4:12345",
|
||||||
|
Header: http.Header{
|
||||||
|
textproto.CanonicalMIMEHeaderKey("x-forwarded-for"): []string{addr + ", 1.2.3.4:23456"},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
if !backend.allowStatsAccess(r4) {
|
||||||
|
t.Errorf("should allow %s", addr)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, addr := range notAllowed {
|
||||||
|
t.Run(addr, func(t *testing.T) {
|
||||||
|
r := &http.Request{
|
||||||
|
RemoteAddr: addr,
|
||||||
|
}
|
||||||
|
if backend.allowStatsAccess(r) {
|
||||||
|
t.Errorf("should not allow %s", addr)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue